dcrat | c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013

Analysis

max time kernel
60s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Size

2.6MB
MD5

211d71bd2e87ea410f7990390866e140
SHA1

81873ad085c91853a1217ec22e211a5433914764
SHA256

c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013
SHA512

be979feb800b91ac22bdae27867b227332fad764e7927caa193d2c611d7fcabb820ce89dbab25511add1e326f630fbfbff23b8465d9fe3478a41a1e3d8d60d0a
SSDEEP

49152:emi19AidDFahbHmYZuRJv0uEORfMDsSfFaMpDsrmcY4:et9zFahbHmR5GOZQL

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2444	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2444	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2080-1-0x0000000000F40000-0x00000000011E6000-memory.dmp	dcrat
behavioral1/files/0x000600000001755b-27.dat	dcrat
behavioral1/files/0x0005000000019d69-72.dat	dcrat
behavioral1/files/0x000a000000016cd7-106.dat	dcrat
behavioral1/files/0x000800000001749c-117.dat	dcrat
behavioral1/files/0x00060000000186ed-140.dat	dcrat
behavioral1/files/0x0008000000019246-174.dat	dcrat
behavioral1/files/0x0006000000019278-197.dat	dcrat
behavioral1/memory/2184-221-0x00000000012B0000-0x0000000001556000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2184	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\sppsvc.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Program Files (x86)\Microsoft Office\24dbde2999530e	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCXC8CA.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Program Files\Windows Mail\en-US\sppsvc.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCXC8C9.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\wininit.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXD478.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Program Files\Internet Explorer\de-DE\wininit.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Program Files\Windows Mail\en-US\0a1fd5f707cd16	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXCD6F.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXCD70.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXD477.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD67C.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD6EA.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Program Files\Uninstall Information\WmiPrvSE.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Program Files\Internet Explorer\de-DE\56085415360792	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\36c3543f347649	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\Offline Web Pages\f3b6ecef712a24	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\IME\taskhost.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\Setup\State\spoolsv.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Setup\State\spoolsv.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXC1C1.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Offline Web Pages\spoolsv.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\TAPI\services.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Cursors\RCXBF4F.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Setup\State\RCXBABA.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Cursors\RCXBF50.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\IME\RCXC657.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\IME\RCXC6C6.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\TAPI\RCXD95B.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\TAPI\RCXD95C.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\Setup\State\f3b6ecef712a24	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\IME\b75386f1303e64	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\IME\taskhost.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\TAPI\c5b4cb5e9653cc	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Setup\State\RCXBAB9.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Cursors\c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXC1C2.tmp	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File opened for modification	C:\Windows\TAPI\services.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\Cursors\c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
File created	C:\Windows\Offline Web Pages\spoolsv.exe	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
1972	schtasks.exe
616	schtasks.exe
1300	schtasks.exe
340	schtasks.exe
2076	schtasks.exe
2652	schtasks.exe
1948	schtasks.exe
2172	schtasks.exe
1644	schtasks.exe
2796	schtasks.exe
2968	schtasks.exe
2044	schtasks.exe
2152	schtasks.exe
1460	schtasks.exe
2900	schtasks.exe
2824	schtasks.exe
2360	schtasks.exe
2472	schtasks.exe
2812	schtasks.exe
788	schtasks.exe
1864	schtasks.exe
1284	schtasks.exe
2704	schtasks.exe
1132	schtasks.exe
1768	schtasks.exe
1896	schtasks.exe
2016	schtasks.exe
2768	schtasks.exe
2920	schtasks.exe
3024	schtasks.exe
2752	schtasks.exe
920	schtasks.exe
1840	schtasks.exe
2728	schtasks.exe
2596	schtasks.exe
1852	schtasks.exe
2956	schtasks.exe
2744	schtasks.exe
1908	schtasks.exe
1296	schtasks.exe
2248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2080	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
2184	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2184	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Token: SeDebugPrivilege	2184	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2980	2080	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe	74
PID 2080 wrote to memory of 2980	2080	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe	74
PID 2080 wrote to memory of 2980	2080	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe	74
PID 2980 wrote to memory of 1560	2980	cmd.exe	76
PID 2980 wrote to memory of 1560	2980	cmd.exe	76
PID 2980 wrote to memory of 1560	2980	cmd.exe	76
PID 2980 wrote to memory of 2184	2980	cmd.exe	77
PID 2980 wrote to memory of 2184	2980	cmd.exe	77
PID 2980 wrote to memory of 2184	2980	cmd.exe	77

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe
"C:\Users\Admin\AppData\Local\Temp\c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N9Q7SmhqYe.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1560
- - C:\Windows\Setup\State\spoolsv.exe
    "C:\Windows\Setup\State\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Setup\State\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013Nc" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N" /sc ONLOGON /tr "'C:\Windows\Cursors\c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013Nc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\IME\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\RCXD6EA.tmp

Filesize
2.6MB

MD5
4be1608361cfddaaeb8ec78c3b92e3ab

SHA1
64d3f317632dbe53665220b1b4aeefbd8e332c96

SHA256
fbd938ab3c09bb5e444b0660083e191610d1771e8ace293dda201f14d7f5e072

SHA512
db2526a9a6a82dd267787d75d56b54cd18a1a73b1e8b9352fb899a1cc788c04b0a46b74b33575648085524ba5629899796cb140aeace29381a6a9e97bbcd0594

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe

Filesize
2.6MB

MD5
435685b66e84b36283b1e92eeb0c4607

SHA1
f0f3b5df6c34e1015a4112b2e8c9b0ae5a0dabf1

SHA256
b8ce380ab92fd2ec1004cd0bfa947d6480950696f8c4da670f42a487cc8f52b9

SHA512
e1d327c823f763abea3bfba5424b7850e4c02bc2f90cf6a865ace45ecd078cc665474c9d0836e8e3f9452ba8d7c81c6b1df7c6250a03c8a2a297998cafc608cd

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe

Filesize
2.6MB

MD5
211d71bd2e87ea410f7990390866e140

SHA1
81873ad085c91853a1217ec22e211a5433914764

SHA256
c5b0c4091b5602fd081195be510fc967b4eec2c54239524e75974ad14d692013

SHA512
be979feb800b91ac22bdae27867b227332fad764e7927caa193d2c611d7fcabb820ce89dbab25511add1e326f630fbfbff23b8465d9fe3478a41a1e3d8d60d0a

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe

Filesize
2.6MB

MD5
c68fb75df3957ec7f73eb7c535883be7

SHA1
931641cc5b8465efa1e1f11ae5be842a9dc1376c

SHA256
b386d7fa57cea0484f497518ec9d2a8cd39493d83c424ee89e647ef4ab656a25

SHA512
94d07605c0a88f0e6659297dd2320ee3dd37d2a2098039c0509803e860a7c9441fe3256c4c9d601a0f5a512193109b5f1484a2b620c354a5ce90193b1cfe477c

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe

Filesize
2.6MB

MD5
692af765bb8febd1c10b2d3b73f19efd

SHA1
777d48e48ae605cff20eba967dea5ae652c2de15

SHA256
60239af40023b88ef791e53022882ea51825c6dc554a5aa64f18fcf7b5985bf4

SHA512
cd046cf21a9119a46ce66a6d105be072d8c8a295c9813f9c2210a3715b2f7fd955530024f1372ce24fe018031d9fc0715e049fa8d5582f901554d418408f92ec

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe

Filesize
2.6MB

MD5
7aac10f0cad84211221d8d475db316c0

SHA1
585072a23daac7baf2ba8ff82a34cfeb4742fc5a

SHA256
259c733f01a2d45a4f6711dc139808dfed0e047b062d9810f6c1465de3ec384a

SHA512
72e83d7ca76f3bf1551666ba6c3602544803c417756e693518a311fde2bb74307643dc7a1964b0974f3e8a8d74d8e27b6c1ebba9e6b26f37087452ebfa566e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\N9Q7SmhqYe.bat

Filesize
199B

MD5
530857985d0cdba0deb9d813f173a453

SHA1
fd5b1618e4516134d2fbb2eca7c073351b67bd3e

SHA256
cf3b9dd18cbd9a144918ba5ca3a8ec42e904045c8308586059f5b61490980e4a

SHA512
25831722f528168bd00d31a18e3e30e9d21c88cd1383090765207f09e3a22afccecd3e57499c0afd62fcd29bfc91f4982bd75d8d613ade3b55fb8a97127b07d3

Download Submit
C:\Windows\IME\taskhost.exe

Filesize
2.6MB

MD5
91e19e474daf1d83c8b98e451b65e305

SHA1
4e6959123f40d1e38f3d036698fd461c7030583c

SHA256
7726a93c07e462d964cb32354778ad85d6ffb69608d8e3a7226609b639fff4c4

SHA512
fa4271722cefa900eb8b31891f485b94250e4ef9f46309a1c89e6bcbe7af838bd153982c895ee98b7a7f12c8e722bed7767ee7887bc5ae2c98b527a83a4f1bff

Download Submit
memory/2080-8-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2080-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2080-10-0x0000000000DA0000-0x0000000000DF6000-memory.dmp

Filesize
344KB

Download
memory/2080-11-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2080-12-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2080-13-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2080-14-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/2080-15-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/2080-16-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/2080-17-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2080-18-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/2080-9-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2080-7-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/2080-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2080-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2080-4-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2080-3-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/2080-189-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2080-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-211-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-1-0x0000000000F40000-0x00000000011E6000-memory.dmp

Filesize
2.6MB

Download
memory/2080-218-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-221-0x00000000012B0000-0x0000000001556000-memory.dmp

Filesize
2.6MB

Download
memory/2184-222-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download